WordPress is a blogging platform developed using the PHP language. cross-site scripting vulnerability exists in versions prior to WordPress plugin Caldera Forms 1.9.7. The vulnerability stems from the plugin’s failure to validate and escape cf-api parameters before outputting them back to the response, which can be exploited by attackers to cause reflected cross-site scripting.